Jack Jansen wrote:
> On Monday, August 25, 2003, at 06:36 AM, Guido van Rossum wrote:
>> Well, in standard Python, the only access to the system is *also*
>> through extension modules -- if you count __builtin__ as an extension
>> module. The other extension module you want to avoid is the posix
>> module (under Windows, the nt module). It should be a simple matter
>> to remove this from your module search path.
> No, it isn't: simply doing "open = type(sys.stdout)" will revive open
> for you. So you'd really have to make sure no file objects are accessible
> either. And there's lots more loopholes like this.
> With the current type system I think the only real solution would be
> to block this at a very low level, i.e. removing file objects from your
> build, or at least completely disabling their side-effects.
FWIW, Zope takes an approach to restricted Python code that's worth
considering. We once thought rexec and Bastion would eventually
supersede Zope's "RestrictedPython" package, so not a lot of effort went
into non-Zope-specific documentation. However, RestrictedPython has
outlived both rexec and Bastion, so maybe detailed documentation would
now be valuable.
Here is a general overview of the approach RestrictedPython takes:
- All builtins and modules are guilty until proven innocent. Restricted
modules have a special __builtins__ and an __import__ hook.
- We use a modified compiler, based on the now-standard compiler module,
to prevent exec statements and hook print statements. The compiler also
adds hooks for getattr, setattr, delattr, getitem, setitem, and delitem
operations. Augmented assignment is disallowed (too complicated to
support).
- The type() builtin is considered unsafe. It opens a big unknown.
However, a same_type() builtin is provided, which is close enough for
most purposes. There are safe equivalents for other builtins as well.
- Here's the hard one for some people to swallow: the compiler prevents
restricted scripts from using names that start with an underscore.
Being able to define a name like "__import__" could get around the hooks.
This might be considered draconian, but no one has spotted any holes yet
in the safety net, and the benefit of being able to script in Python
outweighs the losses. It doesn't implement resource limitations, like
preventing scripts from eating up all available RAM or simply never
terminating. True resource limitations would require running scripts in
a separate process. RestrictedPython is also a boring name. However,
RestrictedPython is safer than anything else we know of in the Python world.
Shane
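Added example, not part of this thread and not Zope's RestrictedPython: a miniature version of the approach Shane lists, built on Python 3's ast module. The Restrictor pass, the _getattr_ guard, same_type() and the builtin allow-list are my own names and assumptions; the example covers the underscore rule, the ban on augmented assignment, the attribute hook and the guarded builtins, and like the original it does nothing about resource limits.

```python
import ast

class RestrictionError(Exception):
    """Raised at compile time when a script breaks one of the rules."""

class Restrictor(ast.NodeTransformer):
    """Rejects underscore names, imports and augmented assignment; routes attribute loads through _getattr_."""
    FORBIDDEN = (ast.AugAssign, ast.Import, ast.ImportFrom, ast.Global, ast.Nonlocal)

    def visit(self, node):
        if isinstance(node, self.FORBIDDEN):
            raise RestrictionError(type(node).__name__ + " is not allowed")
        # covers Name.id, FunctionDef/ClassDef.name, arg.arg, keyword.arg, Attribute.attr
        for field in ("id", "name", "arg", "attr"):
            value = getattr(node, field, None)
            if isinstance(value, str) and value.startswith("_"):
                raise RestrictionError("underscore name %r" % value)
        return super().visit(node)

    def visit_Attribute(self, node):
        if not isinstance(node.ctx, ast.Load):  # no "obj.x = ..." or "del obj.x"
            raise RestrictionError("attribute assignment is not allowed")
        call = ast.Call(func=ast.Name(id="_getattr_", ctx=ast.Load()),
                        args=[self.visit(node.value), ast.Constant(node.attr)],
                        keywords=[])
        return ast.copy_location(call, node)

def guarded_getattr(obj, name):
    """Runtime guard installed as _getattr_; refuses private attributes."""
    if name.startswith("_"):
        raise RestrictionError("private attribute %r" % name)
    return getattr(obj, name)

def same_type(a, b):
    """Stand-in for type(): compares types without handing out a type object."""
    return type(a) is type(b)

def run_restricted(source):
    """Compiles through Restrictor, runs with an allow-list of builtins; returns the globals."""
    tree = ast.fix_missing_locations(Restrictor().visit(ast.parse(source)))
    code = compile(tree, "<restricted>", "exec")
    safe = {"len": len, "range": range, "str": str, "int": int, "same_type": same_type}
    env = {"__builtins__": safe, "_getattr_": guarded_getattr}
    exec(code, env)
    return env

def verdict(source):
    try:
        run_restricted(source)
        return "ok"
    except Exception as exc:  # RestrictionError at compile time, NameError at run time
        return type(exc).__name__
```

Because `open`, `type` and `__import__` are simply absent from the allow-list, a script that names them fails with NameError at run time, while underscore names, imports and `+=` are refused before the code is ever compiled.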